Router Challenge 195


  • 8/6/2019 Router Challenge 195

    1/28

    Router Challenge 195

    Outline: This challenge involves an analysis of SSH.

    Objectives: The objective of this challenge is to explain SSH.

    The TELNET protocol is insecure, as everything, including the login credentials, crosses the network as plain text. An improved method is to use SSH, which encrypts the whole session. On IOS, SSH requires a hostname, a domain name and an RSA key pair (the key pair is named after the hostname and domain name):

        # config t
        Enter configuration commands, one per line.  End with CNTL/Z.
        (config)# hostname ap
        ap(config)# username fred password bert
        ap(config)# ip domain-name test.com
        ap(config)# crypto key generate rsa
        How many bits in the modulus [512]:
        % Generating 512 bit RSA keys ...[OK]

    Two things in this transcript should not be copied into production. The "username ... password" form stores the password in the configuration as type 0 (clear text), or as the reversible type 7 encoding if service password-encryption is on; use "username fred secret bert" so that only a hash is stored. And the 512-bit modulus accepted at the prompt is far too small: 512-bit RSA moduli have been factored on commodity hardware, and SSH version 2 on IOS needs at least a 768-bit key. Generate a 2048-bit or larger key instead, for example with "crypto key generate rsa modulus 2048".

        ap# show crypto key mypubkey rsa
        % Key pair was generated at: 00:39:47 UTC Mar 1 2002
        Key name: ap.test.com
        Usage: General Purpose Key
        Key is not exportable.
        Key Data:
          305C300D 06092A86 4886F70D 01010105 00034B00 30480241 00CE28A6 6697D889
          D28C19FD 3587872D ED4834F0 707B1D8F 944F665E 084DA46B 9D9C0BF4 E992059A
          521A750B B9C09A7F E14275B9 AA29B962 BB0CCCAA 9FA30168 7B020301 0001

        % Key pair was generated at: 00:39:56 UTC Mar 1 2002
        Key name: ap.test.com.server
        Usage: Encryption Key
        Key is not exportable.
        Key Data:
          307C300D 06092A86 4886F70D 01010105 00036B00 30680261 00D56417 15E52D1C
          26C2CE81 B264D2C0 9C52AD73 90731CF7 34D122BC 59CD560F 9600714C E8DB3AA8
          1D80B1E7 74E194B2 3F6C6EA8 8D1505DB 485AD29F A982AB04 950DD4CA ED113E5F
          78D60CFF 2B568C97 0CF21335 0DE55420 BD7929AE 763EDDB9 A1020301 0001

        ap(config)# ip ssh ?
          authentication-retries  Specify number of authentication retries
          break-string            break-string
          port                    Starting (or only) Port number to listen on
          rsa                     Configure RSA keypair name for SSH
          source-interface        Specify interface for source address in SSH connections
          time-out                Specify SSH time-out interval
          version                 Specify protocol version to be supported

        ap(config)# ip ssh time-out ?
          SSH time-out interval (secs)

        ap(config)# ip ssh time-out 60
        ap(config)# ip ssh authentication-retries ?
          Number of authentication retries

        ap(config)# ip ssh authentication-retries 2
        ap(config)# ip ssh version ?
          Protocol version

        ap(config)# ip ssh version 2
        ap(config)# line vty 0 4
        ap(config-line)# transport ?
          input      Define which protocols to use when connecting to the terminal server
          output     Define which protocols to use for outgoing connections
          preferred  Specify the preferred protocol to use

        ap(config-line)# transport input ?
          all     All protocols
          mop     DEC MOP Remote Console Protocol
          none    No protocols
          pad     X.3 PAD
          rlogin  Unix rlogin protocol
          ssh     TCP/IP SSH protocol
          telnet  TCP/IP Telnet protocol
          udptn   UDPTN async via UDP protocol
          v120    Async over ISDN

        ap(config-line)# transport input ssh
        ap(config-line)# login ?
          local   Local password checking
          tacacs  Use tacacs server for password checking

        ap(config-line)# login local

    The last three settings are the ones that actually close the plain-text door: "ip ssh version 2" refuses the weaker SSH-1 protocol, "transport input ssh" removes Telnet (and every other protocol) from the vty lines, and "login local" makes those lines authenticate against the local username database created above. Check the result with "show ip ssh" and "show ssh".
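    The Key Data that "show crypto key mypubkey rsa" prints is a DER-encoded SubjectPublicKeyInfo, so the size of an existing key can be checked from the dump alone, without touching the router again. The following script is an added example and is not part of the challenge text: it takes the two hex dumps from the transcript above, walks the DER with a minimal parser (no third-party library) and flags anything below a policy floor. The 2048-bit floor is this example's policy choice, not an IOS requirement.

```python
"""Audit the RSA modulus size from IOS `show crypto key mypubkey rsa` output.
Added example, not from the challenge text.  The two Key Data dumps are the
ones printed in the transcript above; MIN_BITS is this audit's own policy."""
import re

AP_TEST_COM = """
305C300D 06092A86 4886F70D 01010105 00034B00 30480241 00CE28A6 6697D889
D28C19FD 3587872D ED4834F0 707B1D8F 944F665E 084DA46B 9D9C0BF4 E992059A
521A750B B9C09A7F E14275B9 AA29B962 BB0CCCAA 9FA30168 7B020301 0001
"""
AP_TEST_COM_SERVER = """
307C300D 06092A86 4886F70D 01010105 00036B00 30680261 00D56417 15E52D1C
26C2CE81 B264D2C0 9C52AD73 90731CF7 34D122BC 59CD560F 9600714C E8DB3AA8
1D80B1E7 74E194B2 3F6C6EA8 8D1505DB 485AD29F A982AB04 950DD4CA ED113E5F
78D60CFF 2B568C97 0CF21335 0DE55420 BD7929AE 763EDDB9 A1020301 0001
"""
RSA_OID = bytes.fromhex("2A864886F70D010101")   # 1.2.840.113549.1.1.1 rsaEncryption
MIN_BITS = 2048                                   # policy floor assumed by this audit


def der_tlv(buf, pos):
    """Parse one DER tag/length/value at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                             # long form: next n bytes carry the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def parse_ios_rsa_key(hex_dump):
    """Return (modulus_bits, public_exponent) from an IOS Key Data hex dump."""
    der = bytes.fromhex(re.sub(r"\s+", "", hex_dump))
    tag, spki, end = der_tlv(der, 0)              # SubjectPublicKeyInfo ::= SEQUENCE
    if tag != 0x30 or end != len(der):
        raise ValueError("not a single DER SEQUENCE")
    tag, alg, pos = der_tlv(spki, 0)              # AlgorithmIdentifier
    oid_tag, oid, _ = der_tlv(alg, 0)
    if (tag, oid_tag, oid) != (0x30, 0x06, RSA_OID):
        raise ValueError("not an rsaEncryption key")
    tag, bitstr, _ = der_tlv(spki, pos)           # BIT STRING wrapping RSAPublicKey
    if tag != 0x03 or bitstr[0] != 0:
        raise ValueError("unexpected BIT STRING")
    _, rsa_pub, _ = der_tlv(bitstr, 1)            # SEQUENCE { modulus, publicExponent }
    _, n_bytes, pos = der_tlv(rsa_pub, 0)
    _, e_bytes, _ = der_tlv(rsa_pub, pos)
    n = int.from_bytes(n_bytes, "big")            # leading 0x00 sign byte does not change the value
    e = int.from_bytes(e_bytes, "big")
    return n.bit_length(), e


def audit(hex_dump, min_bits=MIN_BITS):
    """Classify one key dump against the policy floor."""
    bits, e = parse_ios_rsa_key(hex_dump)
    verdict = "OK" if bits >= min_bits else (
        "WEAK: regenerate with crypto key generate rsa modulus %d" % min_bits)
    return {"bits": bits, "exponent": e, "verdict": verdict}


if __name__ == "__main__":
    for name, dump in (("ap.test.com", AP_TEST_COM), ("ap.test.com.server", AP_TEST_COM_SERVER)):
        print(name, audit(dump))
```

    Run against the transcript it reports 512 bits (weak) for ap.test.com and 768 bits for ap.test.com.server. The fix on the router is "crypto key zeroize rsa" followed by "crypto key generate rsa modulus 2048", then re-check with "show crypto key mypubkey rsa"; existing SSH clients will see a changed host key and must have the new fingerprint pushed to them.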

    Cisco Router Challenge 196

    Outline
    This challenge involves the configuration of services on the router.

    Objectives

    The objectives of this challenge are to:

    Define encrypted passwords.

    Define timestamps.

    Disable TCP small services.

    Disable UDP small services.

    Disable CDP on an interface.

    Disable ICMP on an interface.

    Disable SNMP.

    Restrict Web access.

    Example

        > en
        # config t
        (config)# service ?
          compress-config        Compress the configuration file
          config                 TFTP load config files
          dhcp                   Enable DHCP server and relay agent
          disable-ip-fast-frag   Disable IP particle-based fast fragmentation
          exec-callback          Enable exec callback
          exec-wait              Delay EXEC startup on noisy lines
          finger                 Allow responses to finger requests
          hide-telnet-addresses  Hide destination addresses in telnet command
          linenumber             enable line number banner for each exec
          nagle                  Enable Nagle's congestion control algorithm
          old-slip-prompts       Allow old scripts to operate with slip/ppp
          pad                    Enable PAD commands
          password-encryption    Encrypt system passwords
          prompt                 Enable mode specific prompt
          pt-vty-logging         Log significant VTY-Async events
          sequence-numbers       Stamp logger messages with a sequence number
          slave-log              Enable log capability of slave IPs
          tcp-keepalives-in      Generate keepalives on idle incoming network connections
          tcp-keepalives-out     Generate keepalives on idle outgoing network connections
          tcp-small-servers      Enable small TCP servers (e.g., ECHO)
          telnet-zeroidle        Set TCP window 0 when connection is idle
          timestamps             Timestamp debug/log messages


        (config-if)# ip ?
          irdp             ICMP Router Discovery Protocol
          load-sharing     Style of load sharing
          local-proxy-arp  Enable local-proxy ARP
          mask-reply       Enable sending ICMP Mask Reply messages
          mobile           Mobile IP support
          mrm              Configure IP Multicast Routing Monitor tester
          mroute-cache     Enable switching cache for incoming multicast packets
          mtu              Set IP Maximum Transmission Unit
          multicast        IP multicast interface commands
          nat              NAT interface commands
          nbar             Network-Based Application Recognition
          next-hop-self    Configures IP-EIGRP next-hop-self
          nhrp             NHRP interface subcommands
          ospf             OSPF interface commands
          pgm              PGM Reliable Transport Protocol
          pim              PIM interface commands
          policy           Enable policy routing
          proxy-arp        Enable proxy ARP
          rarp-server      Enable RARP server for static arp entries
          redirects        Enable sending ICMP Redirect messages
          rgmp             Enable/disable RGMP
          rip              Router Information Protocol
          route-cache      Enable fast-switching cache for outgoing packets
          router           IP router interface commands
          rsvp             RSVP Interface Commands
          rtp              RTP parameters
          sap              Session Announcement Protocol interface commands
          security         DDN IP Security Option
          split-horizon    Perform split horizon
          summary-address  Perform address summarization
          tcp              TCP header compression and other parameters
          unnumbered       Enable IP processing without an explicit address
          unreachables     Enable sending ICMP Unreachable messages
          urd              Configure URL Rendezvousing
          verify           Enable per packet validation
          vrf              VPN Routing/Forwarding parameters on the interface
          wccp             WCCP interface commands

    To stop the interface giving away topology and host information through ICMP (redirects and unreachables are also useful to an attacker mapping the network, and mask replies leak the subnet mask):

        (config-if)# no ip redirects
        (config-if)# no ip unreachables
        (config-if)# no ip mask-reply

    To disable the multicast route cache:

        (config-if)# no ip mroute-cache
        (config-if)# exit

    To restrict Web access to the router to a single host (the access list ends with an implicit deny, so every other source is refused; the access class is a separate command from enabling the server):

        (config)# access-list 5 permit host 192.168.1.1
        (config)# ip http server
        (config)# ip http access-class 5

    If the Web interface is not needed at all, "no ip http server" is the better answer, and if it is needed, "ip http secure-server" (HTTPS) keeps the management credentials off the wire.

    And to disable the SNMP agent:

        (config)# no snmp-server
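    The objectives above are easy to tick off by hand on one router and easy to miss across many. The following script is an added example, not part of the challenge text: it audits a running-config for the Challenge 196 settings and also shows why "service password-encryption" is not the same thing as encrypted passwords, by reversing the type 7 encoding that command produces. The running-config it checks is constructed for the demo (interface names, addresses and the community string are made up); the XLAT table and the type 7 scheme are the well-known ones IOS uses.

```python
"""Audit an IOS running-config for the Challenge 196 hardening settings and
reverse the 'type 7' encoding produced by service password-encryption.
Added example, not code from the challenge; SAMPLE_CONFIG is constructed."""
import re

# Fixed XOR key used by the IOS type 7 scheme (the same in every image)
XLAT = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"


def type7_decode(enc):
    """'094F471A1A0A' -> 'cisco': two-digit seed, then hex bytes XORed with XLAT."""
    seed = int(enc[:2])
    data = bytes.fromhex(enc[2:])
    return "".join(chr(b ^ XLAT[(seed + i) % len(XLAT)]) for i, b in enumerate(data))


def type7_encode(plain, seed=9):
    """Inverse of type7_decode; used here only to build the constructed sample config."""
    out = bytes(ord(c) ^ XLAT[(seed + i) % len(XLAT)] for i, c in enumerate(plain))
    return "%02d%s" % (seed, out.hex().upper())


# Constructed running-config: Challenge 196 done half-way.
SAMPLE_CONFIG = """
service timestamps log datetime msec
service password-encryption
enable password 7 {enable_pw}
username fred password 7 {fred_pw}
ip domain-name test.com
!
interface FastEthernet0/0
 ip address 192.168.1.254 255.255.255.0
 no ip redirects
 no ip unreachables
!
interface FastEthernet0/1
 ip address 10.0.1.254 255.255.255.0
 no cdp enable
!
access-list 5 permit host 192.168.1.1
ip http server
snmp-server community public RO
line vty 0 4
 transport input telnet ssh
 login local
""".format(enable_pw=type7_encode("bert"), fred_pw=type7_encode("bert", seed=12))

MUST_HAVE = [("service password-encryption", "passwords stored as type 0 (clear text)"),
             ("service timestamps log", "log messages carry no timestamps")]
MUST_NOT = [("service tcp-small-servers", "TCP small servers (echo/chargen/discard/daytime) enabled"),
            ("service udp-small-servers", "UDP small servers enabled")]
PER_INTERFACE = ["no ip redirects", "no ip unreachables", "no ip mask-reply", "no ip proxy-arp"]


def interface_blocks(cfg):
    """Map interface name -> its indented sub-commands (stripped)."""
    blocks, current = {}, None
    for line in cfg.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            blocks[current] = []
        elif line.startswith(" ") and current is not None:
            blocks[current].append(line.strip())
        else:
            current = None
    return blocks


def audit_config(cfg):
    """Return a list of findings; an empty list means every objective is met."""
    lines = [l.strip() for l in cfg.splitlines() if l.strip()]
    findings = []
    for cmd, why in MUST_HAVE:
        if not any(l.startswith(cmd) for l in lines):
            findings.append(why)
    for cmd, why in MUST_NOT:
        if cmd in lines:
            findings.append(why)
    if "ip http server" in lines and not any(l.startswith("ip http access-class") for l in lines):
        findings.append("ip http server enabled without an access-class")
    for m in re.finditer(r"^snmp-server community (\S+) (RO|RW)", cfg, re.M):
        findings.append("SNMP community %r with %s access (no snmp-server removes it)" % m.groups())
    for m in re.finditer(r"^(enable|username \S+) password 7 ([0-9A-Fa-f]+)", cfg, re.M):
        findings.append("%s: type 7 is reversible, recovered %r (use 'secret')"
                        % (m.group(1), type7_decode(m.group(2))))
    cdp_global_off = "no cdp run" in lines          # global off satisfies the per-interface objective
    for name, cmds in interface_blocks(cfg).items():
        wanted = PER_INTERFACE + ([] if cdp_global_off else ["no cdp enable"])
        for cmd in wanted:
            if cmd not in cmds:
                findings.append("%s: missing '%s'" % (name, cmd))
    if "transport input ssh" not in lines:
        findings.append("vty lines accept protocols other than SSH")
    return findings


if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print("-", finding)
```

    Anything type7_decode recovers is a password that anyone holding a copy of the configuration (a TFTP backup, a pasted "show run", a decommissioned flash card) also has. Store the enable and user passwords with "enable secret" and "username ... secret", which hash rather than encode; "service password-encryption" is still worth turning on, but only as protection against shoulder-surfing.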

    Cisco Router Challenge 197

    Outline
    This challenge involves the configuration of RIP Version 2 with authenticated routing tables.

    Objectives
    The objectives of this challenge are to:

    Setup RIP Version 2.


    Define authentication for RIP.

    Example

        > en
        # config t
        (config)# router rip
        (config-router)# version 2
        (config-router)# network 194.205.128.0
        (config-router)# ?
        Router configuration commands:
          address-family          Enter Address Family command mode
          auto-summary            Enable automatic network number summarization
          default                 Set a command to its defaults
          default-information     Control distribution of default information
          default-metric          Set metric of redistributed routes
          distance                Define an administrative distance
          distribute-list         Filter networks in routing updates
          exit                    Exit from routing protocol configuration mode
          flash-update-threshold  Specify flash update threshold in second
          help                    Description of the interactive help system
          input-queue             Specify input queue depth
          maximum-paths           Forward packets over multiple paths
          neighbor                Specify a neighbor router
          network                 Enable routing on an IP network
          no                      Negate a command or set its defaults
          offset-list             Add or subtract offset from IGRP or RIP metrics
          output-delay            Interpacket delay for RIP updates
          passive-interface       Suppress routing updates on an interface
          redistribute            Redistribute information from another routing protocol
          timers                  Adjust routing timers
          traffic-share           How to compute traffic share over alternate paths
          validate-update-source  Perform sanity checks against source address of routing updates
          version                 Set routing protocol version

        (config-router)# exit
        (config)# key ?
          chain       Key-chain management
          config-key  Set a private configuration key

        (config)# key chain ?
          WORD  Key-chain name

        (config)# key chain martin
        (config-keychain)# ?
        Key-chain configuration commands:
          default  Set a command to its defaults
          exit     Exit from key-chain configuration mode
          key      Configure a key
          no       Negate a command or set its defaults

        (config-keychain)# key ?
          Key identifier

        (config-keychain)# key 1
        (config-keychain-key)# ?
        Key-chain key configuration commands:
          accept-lifetime  Set accept lifetime of key
          default          Set a command to its defaults
          exit             Exit from key-chain key configuration mode
          key-string       Set key string
          no               Negate a command or set its defaults
          send-lifetime    Set send lifetime of key

        (config-keychain-key)# key-string officer
        (config-keychain-key)# exit
        (config-keychain)# exit
        (config)# int e0
        (config-if)# ip rip ?
          advertise       Specify update interval
          authentication  Authentication control
          receive         advertisement reception
          send            advertisement transmission
          v2-broadcast    send ip broadcast v2 update

        (config-if)# ip rip authentication ?
          key-chain  Authentication key-chain
          mode       Authentication mode

        (config-if)# ip rip authentication key-chain ?
          LINE  name of key-chain

        (config-if)# ip rip authentication key-chain martin
        (config-if)# ip rip authentication mode ?
          md5   Keyed message digest
          text  Clear text authentication

        (config-if)# ip rip authentication mode md5

    Use "mode md5" rather than "mode text": with text authentication the key-string travels in every update in the clear, so anyone who can sniff the segment can also inject routes. The key chain must match on every router on the segment (same key id and key-string), and accept-lifetime and send-lifetime let a key be rolled over without a routing outage.

    Cisco Router Challenge 197

    Outline
    This challenge involves the configuration of RIP Version 2 with authenticated routing tables, and using a distribute-list with passive interfaces.

    Objectives
    The objectives of this challenge are to:

    Setup RIP Version 2.

    Define authentication for RIP.

    Define a routing filter to limit the transmission of routing information.

    Define a passive-interface for routing updates.

    Example

        > en
        # config t
        (config)# access-list 10 permit 10.0.0.0 0.0.0.255
        (config)# router rip
        (config-router)# distribute-list 10 in fa0/1
        (config-router)# passive-interface fa0/2
        (config-router)# version 2
        (config-router)# network 194.205.128.0
        (config-router)# exit
        (config)# key chain martin
        (config-keychain)# key 1
        (config-keychain-key)# key-string officer
        (config-keychain-key)# exit
        (config-keychain)# exit
        (config)# int fa0/1
        (config-if)# ip rip authentication key-chain martin
        (config-if)# ip rip authentication mode md5

    The command is distribute-list (the original text had "distribution-list", which IOS does not accept). With the "in" keyword and access list 10 it filters the updates received on fa0/1 so that only routes for 10.0.0.0/24 are accepted into the routing table; every other route is dropped by the access list's implicit deny. The passive-interface command stops the transmission of routing updates on the specified interface (updates are still received there), which keeps the routing table off segments that have no routers on them.
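    Both Challenge 197 configurations end in "ip rip authentication mode md5" with a key chain, and it is worth seeing what that actually puts on the wire. The following script is an added example, not code from the challenge text: it builds a RIPv2 response for a constructed route, signs it with key id 1 and key-string "officer" the way RFC 2082 keyed-MD5 authentication does, verifies it as the receiving router would, and contrasts the result with "mode text". The 16-octet, zero-padded key handling is taken from RFC 2082; whether a particular platform truncates longer key-strings the same way is an assumption to check.

```python
"""RIPv2 keyed-MD5 authentication (RFC 2082), the mechanism behind
`ip rip authentication mode md5` with `key chain martin` / `key-string officer`.
Added example, not code from the challenge text; the route and key chain are
constructed.  Key handling follows RFC 2082 (16 octets, zero-padded)."""
import hashlib
import hmac
import struct

RIP_RESPONSE, RIP_V2 = 2, 2
AFI_AUTH = 0xFFFF                # address family that marks an authentication entry
AUTH_TEXT, AUTH_MD5 = 2, 3
ENTRY_LEN = 20                   # every RIP-2 entry is 20 bytes
DIGEST_LEN = 16                  # MD5 output, also the padded key length


def ipb(dotted):
    return bytes(int(o) for o in dotted.split("."))


def pad_key(key_string):
    """RFC 2082 uses exactly 16 octets of key: zero-pad, truncate if longer."""
    k = key_string.encode()[:DIGEST_LEN]
    return k + b"\x00" * (DIGEST_LEN - len(k))


def route_entry(prefix, mask, next_hop, metric, tag=0):
    """AFI 2 (IP), route tag, prefix, mask, next hop, metric."""
    return struct.pack("!HH4s4s4sI", 2, tag, ipb(prefix), ipb(mask), ipb(next_hop), metric)


def build_md5_packet(routes, key_string, key_id, seq):
    """Header, auth entry, routes, trailer header, then the 16-byte digest.
    The digest is MD5 over everything before it with the padded key appended
    (equivalently: key in the digest slot, then overwritten), so the key
    itself never goes on the wire."""
    header = struct.pack("!BBH", RIP_RESPONSE, RIP_V2, 0)
    body = b"".join(routes)
    pkt_len = 4 + ENTRY_LEN + len(body)          # packet length excludes the trailer
    auth = struct.pack("!HHHBBIII", AFI_AUTH, AUTH_MD5, pkt_len, key_id, DIGEST_LEN, seq, 0, 0)
    trailer_hdr = struct.pack("!HH", AFI_AUTH, 0x0001)
    unsigned = header + auth + body + trailer_hdr
    return unsigned + hashlib.md5(unsigned + pad_key(key_string)).digest()


def verify_md5_packet(packet, key_chain):
    """Receiver: look the key id up in the chain, recompute, compare.
    Returns (ok, key_id, seq); a real receiver also rejects seq <= last seen."""
    if len(packet) < 4 + ENTRY_LEN + 4 + DIGEST_LEN:
        return False, None, None
    afi, atype, pkt_len, key_id, dlen, seq, _, _ = struct.unpack("!HHHBBIII", packet[4:4 + ENTRY_LEN])
    if afi != AFI_AUTH or atype != AUTH_MD5 or dlen != DIGEST_LEN:
        return False, None, None
    if pkt_len + 4 + DIGEST_LEN != len(packet) or key_id not in key_chain:
        return False, key_id, seq
    unsigned, got = packet[:-DIGEST_LEN], packet[-DIGEST_LEN:]
    expect = hashlib.md5(unsigned + pad_key(key_chain[key_id])).digest()
    return hmac.compare_digest(expect, got), key_id, seq   # constant-time compare


def build_text_packet(routes, key_string):
    """`mode text`: the key-string rides in the first entry, readable by anyone."""
    header = struct.pack("!BBH", RIP_RESPONSE, RIP_V2, 0)
    return header + struct.pack("!HH16s", AFI_AUTH, AUTH_TEXT, pad_key(key_string)) + b"".join(routes)


def demo():
    routes = [route_entry("194.205.128.0", "255.255.255.0", "0.0.0.0", 1)]
    chain = {1: "officer"}                                   # key chain martin, key 1
    pkt = build_md5_packet(routes, "officer", key_id=1, seq=7)
    tampered = bytearray(pkt)
    tampered[40:44] = struct.pack("!I", 16)                  # metric -> 16: route poisoned in flight
    return {
        "genuine": verify_md5_packet(pkt, chain)[0],
        "tampered": verify_md5_packet(bytes(tampered), chain)[0],
        "wrong_key": verify_md5_packet(pkt, {1: "Officer"})[0],
        "unknown_key_id": verify_md5_packet(pkt, {2: "officer"})[0],
        "key_visible_md5": b"officer" in pkt,
        "key_visible_text": b"officer" in build_text_packet(routes, "officer"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print("%-18s %s" % (k, v))
```

    The sequence number in the authentication entry is what stops a captured, validly signed update from being replayed later; a receiver must track it per neighbour and key. Keyed MD5 of this form is not an HMAC and MD5 itself is long deprecated, so on platforms that support it prefer the HMAC-SHA algorithms of RFC 4822 with the same key-chain model.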

    Cisco PIX Challenge 1

    Outline

    This challenge involves the configuration of basic PIX details.


    Objectives
    The objectives of this challenge are to:

    Setup the hostname.

    Define the domain name.

    Setup IP address of E0.

    Enable E0.

    Example (Version 6.x)

        # sh ip add
        System IP Addresses:
          IP address outside 0.0.0.0
          IP address inside 0.0.0.0
          IP address inf2 0.0.0.0
        Current IP Addresses:
          IP address outside 0.0.0.0
          IP address inside 0.0.0.0
          IP address inf2 0.0.0.0
        # sh nameif
        # config t
        (config)# help hos
        USAGE:
          hostname
          show hostname [fqdn]
        DESCRIPTION:
          hostname  Change host name
        (config)# hostname freds
        (config)# domain-name fred.com
        (config)# help domain-
        USAGE:
          [no] domain-name
          clear configure domain-name
        DESCRIPTION:
          domain-name  Change domain name
        (config)# ip address outside 192.168.1.1 255.255.255.0
        (config)# interface e0 auto
        (config)# exit
        # show ip add
        # show running
        # sh int e0
        Interface Ethernet0 outside, is up, line protocol is up
          Hardware is i82559, BW 100 Mbps
          Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
          MAC address 000d.6585.77d9, MTU 1500
          IP address 192.168.1.1, subnet mask 255.255.255.0
          0 packets input, 0 bytes, 0 no buffer
          Received 0 broadcasts, 0 runts, 0 giants
          0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
          1 packets output, 64 bytes, 0 underruns
          0 output errors, 0 collisions, 0 interface resets
          0 babbles, 0 late collisions, 0 deferred
          0 lost carrier, 0 no carrier
          input queue (curr/max blocks): hardware (128/128) software (0/0)
          output queue (curr/max blocks): hardware (0/1) software (0/1)
          Received 0 VLAN untagged packets, 0 bytes
          Transmitted 1 VLAN untagged packets, 28 bytes
          Dropped 0 VLAN untagged packets

    Example (Version 7.x)

        # sh nameif
        # config t
        (config)# help hostname
        USAGE:
          hostname
          show hostname [fqdn]
        DESCRIPTION:
          hostname  Change host name
        (config)# help domain-
        USAGE:
          [no] domain-name
          clear configure domain-name
        DESCRIPTION:
          domain-name  Change domain name
        (config)# hostname ?
        configure mode commands/options:
          WORD < 64 char  Host name for this system. A hostname must start and end with
                          a letter or digit and have as interior characters only
                          letters, digits, or a hyphen.
        (config)# hostname freds
        (config)# domain-name ?
        configure mode commands/options:
          WORD  Domain names must begin and end with a digit/letter, only letters,
                digits, and hyphen are allowed as internal characters, labels are
                separated by a dot. A maximum of 63 characters is allowed.
        (config)# domain-name fred.com
        (config)# int e0
        (config-if)# help ip
        USAGE:
          [no] ip address [] [standby ]
          [no] ip address dhcp [setroute] [retry ]
          show ip address [ | ]
          clear ip
        DESCRIPTION:
          ip  Set the ip address and mask for an interface
        SYNTAX:
          Device's network interface address
          Netmask of ip_address
          Device failover peer's network interface address
          Number of retries performed by dhcp client, default is 4
          Interface hardware name as used by 'interface' command.
            Composed of [/] or /[/]
          Interface name assigned by 'nameif' command
        see also: nameif, security-level
        (config-if)# ip address 192.168.1.1 255.255.255.0
        (config-if)# help shut
        USAGE:
          [no] shutdown
        DESCRIPTION:
          shutdown  Shutdown the selected interface
        (config-if)# no shutdown
        (config-if)# exit
        (config)# exit
        # show ip add
        System IP Addresses:
          IP address outside 192.168.1.1
          IP address inside 0.0.0.0
          IP address inf2 0.0.0.0
        Current IP Addresses:
          IP address outside 0.0.0.0
          IP address inside 0.0.0.0
          IP address inf2 0.0.0.0
        # show running
        myPIX# sh int e0
        Interface Ethernet0 outside, is up, line protocol is up
          Hardware is i82559, BW 100 Mbps
          Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
          MAC address 000d.6585.77d9, MTU 1500
          IP address 192.168.1.1, subnet mask 255.255.255.0
          0 packets input, 0 bytes, 0 no buffer
          Received 0 broadcasts, 0 runts, 0 giants
          0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
          1 packets output, 64 bytes, 0 underruns
          0 output errors, 0 collisions, 0 interface resets
          0 babbles, 0 late collisions, 0 deferred
          0 lost carrier, 0 no carrier
          input queue (curr/max blocks): hardware (128/128) software (0/0)
          output queue (curr/max blocks): hardware (0/1) software (0/1)
          Received 0 VLAN untagged packets, 0 bytes
          Transmitted 1 VLAN untagged packets, 28 bytes
          Dropped 0 VLAN untagged packets
        myPIX# sh int e1
        Interface Ethernet1 inside, is down, line protocol is down
          Hardware is i82559, BW 100 Mbps
          Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
          MAC address 000d.6585.77d9, MTU 1500
          IP address 0.0.0.0, subnet mask 255.255.255.0
          0 packets input, 0 bytes, 0 no buffer
          Received 0 broadcasts, 0 runts, 0 giants
          0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
          1 packets output, 64 bytes, 0 underruns
          0 output errors, 0 collisions, 0 interface resets
          0 babbles, 0 late collisions, 0 deferred
          0 lost carrier, 0 no carrier
          input queue (curr/max blocks): hardware (128/128) software (0/0)
          output queue (curr/max blocks): hardware (0/1) software (0/1)
          Received 0 VLAN untagged packets, 0 bytes
          Transmitted 1 VLAN untagged packets, 28 bytes
          Dropped 0 VLAN untagged packets

    In 7.x the address is set inside interface configuration and the ip address command takes only the address and mask; the interface's name comes from nameif. The 6.x form with the name in front ("ip address outside 192.168.1.1 ...") is rejected in 7.x interface mode.

    Cisco PIX Challenge 2

    Outline
    This challenge involves the configuration of basic PIX details (E1 and E2).

    Objectives

    The objectives of this challenge are to:


    Define the IP address and subnet mask of E1.

    Define the IP address and subnet mask of E2.

    Example (Ver 6.x)

        > enable
        # show nameif
        # config t
        (config)# ip address inf2 192.168.1.1 255.255.255.0
        (config)# ip address inside 10.0.1.1 255.255.0.0
        (config)# interface e1 auto
        (config)# interface e2 auto
        (config)# exit
        # show ip
        # show running
        # sh int e1
        Interface Ethernet1 inside, is up, line protocol is up
          Hardware is i82559, BW 100 Mbps
          Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
          MAC address 000d.6585.77d9, MTU 1500
          IP address 192.168.1.1, subnet mask 255.255.255.0
          0 packets input, 0 bytes, 0 no buffer
          Received 0 broadcasts, 0 runts, 0 giants
          0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
          1 packets output, 64 bytes, 0 underruns
          0 output errors, 0 collisions, 0 interface resets
          0 babbles, 0 late collisions, 0 deferred
          0 lost carrier, 0 no carrier
          input queue (curr/max blocks): hardware (128/128) software (0/0)
          output queue (curr/max blocks): hardware (0/1) software (0/1)
          Received 0 VLAN untagged packets, 0 bytes
          Transmitted 1 VLAN untagged packets, 28 bytes
          Dropped 0 VLAN untagged packets

    Example (Ver 7.x)

        > enable
        # sh nameif
        # config t
        (config)# int e1
        (config-if)# ip address 192.168.1.1 255.255.255.0
        (config-if)# no shutdown
        (config-if)# exit
        (config)# int e2
        (config-if)# ip address 192.168.2.1 255.255.255.0
        (config-if)# no shutdown
        (config-if)# exit
        (config)# exit
        # show ip add
        # show running
        # sh int e1
        Interface Ethernet1 inside, is up, line protocol is up
          Hardware is i82559, BW 100 Mbps
          Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
          MAC address 000d.6585.77d9, MTU 1500
          IP address 192.168.1.1, subnet mask 255.255.255.0
          0 packets input, 0 bytes, 0 no buffer
          Received 0 broadcasts, 0 runts, 0 giants
          0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
          1 packets output, 64 bytes, 0 underruns
          0 output errors, 0 collisions, 0 interface resets
          0 babbles, 0 late collisions, 0 deferred
          0 lost carrier, 0 no carrier
          input queue (curr/max blocks): hardware (128/128) software (0/0)
          output queue (curr/max blocks): hardware (0/1) software (0/1)
          Received 0 VLAN untagged packets, 0 bytes
          Transmitted 1 VLAN untagged packets, 28 bytes
          Dropped 0 VLAN untagged packets

    In 6.x the interface name (inside, inf2) is part of the ip address command. In 7.x the address is entered under the interface and the command takes only the address and mask; the name shown in the interface output (inside) is assigned separately with nameif, which is the subject of the next challenge.

    Cisco PIX Challenge 3

    Outline
    This challenge involves the configuration of basic PIX details (names of interfaces, security levels, and so on).

    Objectives
    The objectives of this challenge are to:

    Define the name of each of the interfaces.

    Example (Ver 6.x)

        > enable
        # show nameif
        # config t
        (config)# nameif e0 mars security0
        (config)# nameif e1 pluto security100
        (config)# nameif e2 jupiter security50
        (config)# help username
        USAGE:
          username {nopassword|password [encrypted]} [privilege ]
          no username
          [no] username attributes
          clear configure username []
          show running-config [all] username [ [attributes]]
        DESCRIPTION:
          username  Configure user authentication local database
        SYNTAX:
          The name of the user. A minimum of 4 characters is required.
            A maximum of 64 characters is allowed.
          Indicates that this user has no password
          The password for this user
          encrypted   Indicate the entered is encrypted
          The privilege level for this user
          attributes  Enter the attributes sub-command mode
        (config)# username fred password bert
        (config)# exit
        # show running

    Example (Ver 7.x)

        > enable
        # show nameif
        # config t
        (config)# int e0
        (config-if)# nameif mars
        (config-if)# security-level 0
        (config-if)# exit
        (config)# int e1
        (config-if)# nameif pluto
        (config-if)# security-level 100
        (config-if)# exit
        (config)# int e2
        (config-if)# help nameif
        USAGE:
          nameif
          no nameif []
          show running-config [all] nameif []
          show nameif []
          clear nameif
        DESCRIPTION:
          nameif  Assign name to interface
        SYNTAX:
          A name by which this interface will be referred in all other commands
          Interface identifier as used in the 'interface' command.
        see also: security-level, interface, static, global, nat
        (config-if)# nameif jupiter
        (config-if)# help security-level
        USAGE:
          security-level
          no security-level []
        DESCRIPTION:
          security-level  Specify security level of interface
        SYNTAX:
          The security level of this interface from 0 to 100.
            The relative security level between two interfaces determines
            the way the Adaptive Security Algorithm is applied.
            A lower security_level interface is outside relative to a higher
            level interface and equivalent interfaces are outside to each other.
        see also: nameif
        (config-if)# security-level 50
        (config-if)# exit
        (config)# help username
        USAGE:
          username {nopassword|password [encrypted]} [privilege ]
          no username
          [no] username attributes
          clear configure username []
          show running-config [all] username [ [attributes]]
        DESCRIPTION:
          username  Configure user authentication local database
        SYNTAX:
          The name of the user. A minimum of 4 characters is required.
            A maximum of 64 characters is allowed.
          Indicates that this user has no password
          The password for this user
          encrypted   Indicate the entered is encrypted
          The privilege level for this user
          attributes  Enter the attributes sub-command mode
        (config)# username fred password bert
        (config)# exit
        # show running
        # show running user

    The security level is what the Adaptive Security Algorithm uses to decide the default direction of traffic: connections started from a higher-level interface towards a lower-level one are allowed by default, while the reverse direction is blocked unless an access list explicitly permits it. Naming and numbering the interfaces is therefore the first access-control decision on the box, not just housekeeping.

    Cisco PIX Challenge 5

    Outline
    This challenge involves the configuration of a static route, and some banners.

    Objectives
    The objectives of this challenge are to:

    Define a static route.

    Define banners.

    Example

        mypix(config)# help route
        USAGE:
          [no] route [|tunneled]
          clear configure route []
          clear route []
          show running-config route
          show route []
        DESCRIPTION:
          route  Enter a static route for an interface
        SYNTAX:
          The interface name, as specified by the 'nameif' command, for which the route will apply
          The foreign network for this route, 0 means default
          The netmask for the destined foreign network
          The address of the gateway by which the foreign network is reached
          Distance metric for this route, default is 1
          tunneled  Specifies route as the default tunnel gateway for VPN traffic.
        see also: rip, ping
        pixfirewall(config)# route inside 10.0.0.0 ?
        configure mode commands/options:
          A.B.C.D  The netmask for the destined foreign network
        pixfirewall(config)# route inside 10.0.0.0 255.255.0.0 ?
        configure mode commands/options:
          Hostname or A.B.C.D  The address of the gateway by which the foreign network is reached.
        pixfirewall(config)# route inside 10.0.0.0 255.255.0.0 206.59.124.10 ?
        configure mode commands/options:
          Distance metric for this route, default is 1
          tunneled  Enable the default tunnel gateway option, metric is set to 255
        myPIX(config)# route outside 10.0.0.0 255.255.0.0 206.59.124.10
        myPIX(config)# show route
        myPIX(config)# banner motd admin device
        myPIX(config)# banner login personal device
        myPIX(config)# banner exec main device
        myPIX(config)# show domain-name
        myPIX(config)# domain-name dumfries.eu

    Cisco PIX Challenge 6

    Outline
    This challenge involves the configuration of Telnet, SSH and Console timeouts.

    Objectives
    The objectives of this challenge are to:

    Setup the hostname.

    Define the domain name.

    Define the Telnet timeout.

    Define the SSH timeout.

    Define the Console timeout.

    Example

        myPIX(config)# hostname arizona
        arizona(config)# domain-name fife.nu
        arizona(config)# show domain-name
        arizona(config)# help telnet
        USAGE:
          [no] telnet
          telnet timeout
          no telnet timeout []
        DESCRIPTION:
          telnet  Add telnet access to device console and set idle timeout
        SYNTAX:
          The ip address of the host and/or network authorized to login to the device
          The IP netmask to apply to .
          Network interface name.
          Idle time in minutes after which a telnet session will be closed. Default is 5 minutes.
        see also: ssh, password, aaa
        arizona(config)# telnet timeout 8
        arizona(config)# help ssh
        USAGE:
          [no] ssh
          [no] ssh timeout
          [no] ssh version 1|2
          [no] ssh scopy enable
          show ssh sessions []
          ssh disconnect
        DESCRIPTION:
          ssh  Add SSH access to the Device console, set idle timeout, set version supported,
               enable Secure Copy as an SSH application, display a list of active SSH
               sessions, and terminate an SSH session.
        SYNTAX:
          The IP address of the host and/or network authorized to login to the Device.
          The IP netmask to apply to .
          Network interface name.
          Idle time in minutes after which a SSH session will be closed.
          The IP address of the SSH client.
          Session ID as displayed by the 'show ssh sessions' command.
        see also: telnet, password, enable, aaa
        arizona(config)# ssh timeout 9
        arizona(config)# help console
        USAGE:
          [no] console timeout
        DESCRIPTION:
          console  Set idle timeout for the serial console of the PIX
        SYNTAX:
          Valid range . For , console session will be closed after idle time of minutes.
          console will never close for timeout
        see also: telnet, ssh, passwd, aaa
        arizona(config)# console timeout 9
        arizona(config)# show telnet
        arizona(config)# show ssh
        arizona(config)# show console

    The timeouts only limit how long an idle management session lives; they do not decide who may open one. That is done by the address, mask and interface arguments of telnet and ssh, which should be confined to the management hosts on the inside interface (the PIX will not accept Telnet on its lowest-security interface except inside an IPsec tunnel). Prefer "ssh version 2" and leave Telnet off wherever SSH is available.

    Cisco PIX Challenge 7

    Outline
    This challenge involves the configuration of the security levels on the interfaces.

    Objectives
    The objectives of this challenge are to:

    Rename the interfaces, and define the security level on each interface.


    Note: an interface named outside is given security level 0 and one named inside is given security level 100. In 6.x these two levels are fixed by the name; in 7.x they are the defaults that nameif applies, and security-level can override them.

    Example (Ver 6.x)

        myPIX(config)# nameif e0 strathclyde security24
        myPIX(config)# nameif e1 orkney security61
        myPIX(config)# nameif e2 rhodeisland security44

    Example (Ver 7.x)

        > enable
        # show nameif
        # config t
        (config)# int e0
        (config-if)# nameif strathclyde
        (config-if)# security-level 24
        (config-if)# exit
        (config)# int e1
        (config-if)# nameif orkney
        (config-if)# security-level 61
        (config-if)# exit
        (config)# int e2
        (config-if)# nameif rhodeisland
        (config-if)# security-level 44
        (config-if)# exit
        (config)# exit
        # show running

    Cisco PIX Challenge 8

    Outline
    This challenge involves the configuration of a shutdown on the interfaces.

    Objectives
    The objectives of this challenge are to:

    Define the names of the interfaces.

    Shutdown each of the interfaces.

    Example (6.x)

        myPIX(config)# nameif e0 gretna security0
        myPIX(config)# nameif e1 alabama security100
        myPIX(config)# nameif e2 uranus security50
        myPIX(config)# show nameif
        myPIX(config)# interface e0 auto shut
        myPIX(config)# interface e1 auto shut
        myPIX(config)# interface e2 auto shut
        myPIX(config)# show int
        myPIX(config)# show int e0
        myPIX(config)# show int e1
        myPIX(config)# show int e2


    Example (Ver 7.x)

        > enable
        # show nameif
        # config t
        (config)# int e0
        (config-if)# nameif gretna
        (config-if)# security-level 0
        (config-if)# shutdown
        (config-if)# exit
        (config)# int e1
        (config-if)# nameif alabama
        (config-if)# security-level 100
        (config-if)# shutdown
        (config-if)# exit
        (config)# int e2
        (config-if)# nameif uranus
        (config-if)# security-level 50
        (config-if)# shutdown
        (config-if)# exit
        (config)# exit
        # show running

    Interfaces that are not in use should stay shut down: an unused port that is up and unnamed is one cable away from becoming an unfiltered path into the firewall.

    Cisco PIX Challenge 9

    Outline
    This challenge involves the configuration of interfaces for various settings, such as duplex, speed, and so on.

    Objectives
    The objectives of this challenge are to:

    Define the names of the interfaces.

    Define the basic operation of the interfaces.

    Example (Ver 6.x)

        myPIX(config)# nameif e0 hawaii security0
        myPIX(config)# nameif e1 alberta security100
        myPIX(config)# nameif e2 orkney security50
        myPIX(config)# interface e0 100full
        myPIX(config)# interface e1 100full
        myPIX(config)# interface e2 100full

    Example (Ver 7.x)

        > enable
        # show nameif
        # config t
        (config)# help interface
        USAGE:
          interface
          interface .
          no interface .
          show running-config [default] interface { [.]}
          show interface { [.] | } [detail|stats|ip brief]
          clear config interface { [.]}
          clear interface { [.]}
        DESCRIPTION:
          interface  Set network interface parameters
                     show/clear interface counters
                     show brief summary of IP status and configuration
        SYNTAX:
          Type of interface to be configured
            Possible values: Ethernet, GigabitEthernet
          Port number. Refer to the appropriate hardware manual for port information
          Subinterface number in the range 1 to 4,294,967,293
          Interface name assigned by 'nameif' command
        WARNING! Using 'no' on a Subinterface will remove the interface from the system.
        Removing a Subinterface will delete all configuration rules applied to the
        interface. Exercise caution when using the 'no interface' command.
        see also: allocate-interface
        (config)# int e0
        (config-if)# nameif gretna
        (config-if)# security-level 0
        (config-if)# help du
        USAGE:
          duplex auto|full|half
          no duplex [auto|full|half]
        DESCRIPTION:
          duplex  Configure duplex operation
        SYNTAX:
          auto  Enable AUTO duplex configuration
          full  Force full duplex operation
          half  Force half-duplex operation
        see also: speed
        (config-if)# duplex full
        (config-if)# help speed
        USAGE:
          speed 10|100|1000|auto
          no speed [10|100|1000|auto]
        DESCRIPTION:
          speed  Configure speed operation
        SYNTAX:
          Possible Ethernet values are:
            10    Force 10 Mbps operation
            100   Force 100 Mbps operation
            auto  Enable AUTO speed configuration
          Possible GigabitEthernet values are:
            10    Force 10 Mbps operation
            100   Force 100 Mbps operation
            1000  Force 1000 Mbps operation
            auto  Enable AUTO speed configuration
        see also: duplex
        (config-if)# speed 100
        (config-if)# exit
        (config)# int e1
        (config-if)# nameif alabama
        (config-if)# security-level 100
        (config-if)# duplex full
        (config-if)# speed 100
        (config-if)# exit
        (config)# int e2
        (config-if)# nameif uranus
        (config-if)# security-level 50
        (config-if)# duplex full
        (config-if)# speed 100
        (config-if)# exit
        (config)# exit
        # show running

    Cisco PIX Challenge 10

    Outline
    This challenge involves the configuration of the DHCP server.

    Objectives
    The objectives of this challenge are to:

    Enable the DHCP server.

    Define DHCP parameters.

    Show DHCP parameters.

    Example

        myPIX(config)# help dhcpd
        USAGE:
          dhcpd address [-]
          dhcpd dns []
          dhcpd wins []
          dhcpd lease
          dhcpd ping_timeout
          dhcpd domain
          dhcpd option {ascii | hex | ip []}
          dhcpd enable
          dhcpd auto_config
          show dhcpd [binding|statistics]
          clear dhcpd
          clear dhcpd [binding|statistics]
        DESCRIPTION:
          dhcpd  Configure DHCP Server
        SYNTAX:
          Start address of the DHCP address pool
          End address of the DHCP address pool
          DNS server IP address
          NetBios name server IP address
          DHCP lease length in seconds
          Ping timeout in milliseconds
          DNS domain name
          positive number representing the DHCP option code
          ASCII string without whitespace
          hexadecimal string without whitespace
          IP address
          IP address
          Interface to enable DHCP server
          Interface to retrieve DHCP client info
        myPIX(config)# dhcpd enable
        myPIX(config)# dhcpd address 197.174.60.2-197.174.60.22 inside
        myPIX(config)# dhcpd wins 195.94.110.3
        myPIX(config)# dhcpd lease 6
        myPIX(config)# dhcpd domain athome.com
        myPIX(config)# show dhcpd


Cisco PIX Challenge 13

Outline

This challenge involves the configuration of NAT.

Objectives

The objectives of this challenge are to:

Define inside address range.

Define outside address range.

Show NAT parameters.

Show Global parameters.

Example (Ver 6.x)

myPIX (config)# help nat
USAGE:
[no] nat () [] [dns] [outside] [[tcp] [ []]] [udp ]
[no] nat (if_name) access-list [dns] [outside] [[tcp] [ []]] [udp ]

DESCRIPTION:
nat Associate a network with a pool of global IP addresses

SYNTAX:
The name of the network interface, as specified by 'nameif', where the hosts/network designated by are accessed.
The id of this group of hosts or networks. This id will be referenced by the 'global' command to associate a global pool with this command. The id '0' is reserved to indicate (i) no address translation with the access-list option or (ii) identity translation for the option. The maximum nat_id with access-list is 65535. The maximum nat_id without access-list is 2147483647.
The hosts/networks in this group. '0' indicates all networks or the default group.


An IP address not found in a more explicit group will default to a less explicit or '0', the least explicit.
The IP netmask to apply to .
dns Use the created xlate to rewrite DNS address record.
tcp TCP connections.
udp UDP connections.
The maximum number of simultaneous connections the hosts will each be allowed to use. Idle connections are closed after the time specified by the timeout conn command.
The maximum number of embryonic connections per host. An embryonic connection is a connection request that has not finished the necessary handshake between source and destination.
norandomseq Disable TCP sequence number randomization.
access-list name.
see also: access-list, apply, global

myPIX (config)# nat ?
configure mode commands/options:
( Open parenthesis for the name of the network interface where the hosts/network designated by the local IP address are accessed

myPIX (config)# nat (inside) ?
configure mode commands/options:
The of this group of hosts/networks. This will be referenced by the global command to associate a global pool with the local IP address. '0' is used to indicate no address translation for local IP. The limit is 65535 with access-lists

myPIX (config)# nat (inside) 1 ?
configure mode commands/options:
Hostname or A.B.C.D The hosts/networks in this group, '0' indicates all networks or the default group
access-list Specify access-list name after this keyword

myPIX (config)# nat (inside) 1 143.163.128.0 ?
configure mode commands/options:
A.B.C.D IP netmask to apply to the local IP address

myPIX (config)# nat (inside) 1 143.163.128.0 255.255.192.0
myPIX (config)# help global
USAGE:
[no] global () {[-] [netmask ]} | interface

DESCRIPTION:
global Specify, delete or view global address pools, or designate a PAT (Port Address Translated) address

SYNTAX:
The external network interface name
The id of the nat group (from the nat command) that will draw from these global addresses
The IP address, network or range of addresses that will dynamically be translated on an as needed basis to hosts in the nat group . If this is connected to the Internet, the should be registered with the Network Information Center (NIC). These addresses should also be reverse resolvable (in-addr.arpa) on the outside DNS servers. An address specified singly will be used as a PAT address. When all of the non-PAT addresses of a global pool are in use and there is a PAT address, subsequent hosts from the nat group will share the single PAT address for up to the number of licensed connections.
[netmask ] The netmask of the global_ip.
interface IP address of overloaded for PAT.
see also: nat, alias, static

myPIX (config)# global ?
configure mode commands/options:
( Open parenthesis for the external network interface name

myPIX (config)# global (outside) 3 ?
configure mode commands/options:
WORD Enter IP address or a range of IP addresses [-]
interface Specifies PAT using the IP address at the interface

myPIX (config)# global (outside) 3 137.68.10.3-137.68.10.23 ?
configure mode commands/options:
netmask Specify netmask for the IP address(es) after this keyword

myPIX (config)# global (outside) 3 1.2.3.4 net ?
configure mode commands/options:
A.B.C.D Netmask for the IP address(es)

myPIX (config)# global (outside) 3 137.68.10.3-137.68.10.23 netmask 255.255.255.0

myPIX (config)# show nat
myPIX (config)# show global

Example (Ver 7.x)

As Ver 6.x, but replace show nat and show global with:

myPIX (config)# show running nat
myPIX (config)# show running global

Cisco PIX Challenge 14

Outline

This challenge involves the configuration of a static route.

Objectives

The objectives of this challenge are to:

Define the IP address and subnet mask of the interfaces.

Define a static mapping.

Example (Ver 6.x)

myPIX (config)# ip address outside 84.120.11.5 255.128.0.0
myPIX (config)# ip address inside 10.10.0.1 255.128.0.0
myPIX (config)# ip address inf 172.16.0.1 255.128.0.0


myPIX (config)# show ip address
myPIX (config)# static (inside, outside) 84.120.11.15 211.204.152.13
myPIX (config)# show static

Example (Ver 7.x)

myPIX (config)# int e0
myPIX (config-if)# ip address 84.120.11.5 255.128.0.0
myPIX (config-if)# nameif outside
myPIX (config-if)# int e1
myPIX (config-if)# ip address 10.10.0.1 255.128.0.0
myPIX (config-if)# nameif inside
myPIX (config-if)# int e2
myPIX (config-if)# ip address 172.16.0.1 255.128.0.0
myPIX (config-if)# nameif inf2
myPIX (config-if)# exit
myPIX (config)# show ip address

myPIX (config)# help static
USAGE:
[no] static [(real_ifc, mapped_ifc)] {|interface} { [netmask ]} | {access-list } [dns] [[tcp] [ [ [nailed]]]] [udp ]
[no] static [(real_ifc, mapped_ifc)] {tcp|udp} {|interface} { [netmask ]} | {access-list } [dns] [[tcp] [ [ [nailed]]]] [udp ]

DESCRIPTION:
static Configure one-to-one address translation rule

SYNTAX:
Name of the network interface, as specified by 'nameif', where the hosts or networks designated by or sources in access-list are accessed.
Name of the network interface, as specified by 'nameif', where the or by the source in access-list are translated into .
tcp TCP static PAT.
udp UDP static PAT.
Address as configured at the actual host.
Port as viewed from the actual host.
Masquerade address of the or of the source address in access-list.
The IP netmask to apply to .
Masquerade port of the or of the source port in access-list.


interface Address taken from .
Masquerade port of the or of the source port in access-list.
The access-list name with the source fields defining the real address and real port, if applicable, before translation.
dns Rewrite DNS address record.
norandomseq Disable TCP sequence number randomization.
nailed Allow TCP sessions for asymmetrically routed traffic
The maximum number of simultaneous TCP connections that each hosts will each be allowed to use. Idle connections are closed after the time specified by the timeout conn command.
Maximum number of embryonic connections per host. An embryonic connection is a connection request that has not completed TCP 3-way handshake between source and destination.
see also: nat, global

myPIX (config)# static ?
configure mode commands/options:
( Open parenthesis for (,) pair where is the Internal or prenat interface and is the External or postnat interface

myPIX (config)# static (inside, outside) 84.120.11.15 211.204.152.13
myPIX (config)# show running static
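The nat/global pair of Challenge 13 and the static mapping of Challenge 14 are two halves of one translation lookup, so here is a single model covering both, written as an added example (it is not Cisco code and not from the original document). A static one-to-one entry wins outright; otherwise the most specific nat group supplies a mapped address from its global pool, and once the pool's non-PAT addresses are all in use a single PAT address is shared with a distinct source port per host, which is the behaviour the global help text describes. The real and mapped addresses are the page's; the PAT address 137.68.10.24, and the fact that the nat and global commands use the same id, are constructed assumptions. One caveat worth checking on the page itself: the example enters nat (inside) 1 but global (outside) 3, and a pool is only drawn from by the nat group whose id matches it.

```python
"""Address-translation lookup modelled on the PIX 'static', 'nat' and 'global'
commands of Challenges 13 and 14 (added example, not Cisco code).

Addresses are the page's; the PAT address 137.68.10.24 and the shared
nat/global id 1 are constructed assumptions for the illustration.
"""
import ipaddress
from itertools import count

IPv4 = ipaddress.IPv4Address


class Translator:
    def __init__(self):
        self.statics = {}        # real ip -> mapped ip (one-to-one)
        self.nat_groups = {}     # nat_id -> [IPv4Network] of local hosts
        self.global_pools = {}   # nat_id -> [IPv4Address], non-PAT addresses
        self.pat_address = {}    # nat_id -> single address used for PAT
        self.xlate = {}          # real ip -> (mapped ip, pat port or None)
        self.next_pat_port = count(1024)

    def static(self, real_ip, mapped_ip):
        """static (real_ifc, mapped_ifc) <mapped_ip> <real_ip>."""
        self.statics[IPv4(real_ip)] = IPv4(mapped_ip)

    def nat(self, nat_id, local_ip, mask):
        """nat (if_name) <nat_id> <local_ip> <mask>."""
        net = ipaddress.IPv4Network(f"{local_ip}/{mask}", strict=False)
        self.nat_groups.setdefault(nat_id, []).append(net)

    def global_(self, nat_id, spec):
        """global (if_name) <nat_id> <a>-<b> adds a pool range; a single
        address becomes the PAT address for that nat group."""
        if "-" in spec:
            lo, hi = (IPv4(part) for part in spec.split("-"))
            pool = self.global_pools.setdefault(nat_id, [])
            pool.extend(IPv4(n) for n in range(int(lo), int(hi) + 1))
        else:
            self.pat_address[nat_id] = IPv4(spec)

    def nat_id_for(self, real):
        """Most specific (longest prefix) nat group containing the host."""
        best = None
        for nat_id, nets in self.nat_groups.items():
            for net in nets:
                if real in net and (best is None or net.prefixlen > best[1]):
                    best = (nat_id, net.prefixlen)
        return best[0] if best else None

    def translate(self, real_ip):
        """Return (mapped address, pat port or None), or None if no rule applies."""
        real = IPv4(real_ip)
        if real in self.statics:
            return str(self.statics[real]), None
        if real in self.xlate:          # an existing xlate entry is reused
            return self.xlate[real]
        nat_id = self.nat_id_for(real)
        if nat_id is None:
            return None                 # host is in no nat group
        in_use = {mapped for mapped, port in self.xlate.values() if port is None}
        for mapped in self.global_pools.get(nat_id, []):
            if str(mapped) not in in_use:
                self.xlate[real] = (str(mapped), None)
                return self.xlate[real]
        pat = self.pat_address.get(nat_id)
        if pat is None:
            return None                 # pool exhausted and no PAT address
        self.xlate[real] = (str(pat), next(self.next_pat_port))
        return self.xlate[real]


def page_config():
    """The page's static, nat and global commands, plus a constructed PAT address."""
    t = Translator()
    t.static("84.120.11.15", "211.204.152.13")
    t.nat(1, "143.163.128.0", "255.255.192.0")
    t.global_(1, "137.68.10.3-137.68.10.23")
    t.global_(1, "137.68.10.24")        # constructed PAT fallback address
    return t


if __name__ == "__main__":
    t = page_config()
    print(t.translate("84.120.11.15"), t.translate("143.163.128.1"), t.translate("10.10.0.5"))
```

The pool 137.68.10.3-137.68.10.23 holds 21 addresses, so the 22nd host in the 143.163.128.0/18 group lands on the PAT address, and a host in no nat group (here 10.10.0.5) gets no translation at all.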

Cisco PIX Challenge 15

Outline

This challenge involves the configuration of the activation key.

Objectives

The objectives of this challenge are to:

Configure the activation key.

Show the activation key.

Example

myPIX # help activation-key
USAGE:
activation-key
show activation-key

DESCRIPTION:
activation-key Modify activation-key.

SYNTAX:
a four or five element hexadecimal string.

myPIX (config)# activation-key 1aa3aaab abfbcef1 133445ee ee56f6b0


myPIX (config)# show activation-key

Cisco PIX Challenge 16

Outline

This challenge involves the configuration of an access-list.

Objectives

The objectives of this challenge are to:

Define a named access-list.

Apply the access-list onto an interface.

Example

myPIX (config)# help access-l
USAGE:
Extended access list:
Use this to configure policy for IP traffic through the firewall
[no] access-list [line ] [extended] {deny | permit} { | object-group } {host | | object-group } [ [] | object-group ] { | object-group } [ [] | object-group ] [log [disable] | [] | [default] [interval ]]
[no] access-list [line ] {deny | permit} icmp {host | | object-group } { | object-group } [ | object-group ] [log [disable] | [] | [default] [interval ]]
[no] access-list webtype {deny|permit} url {|any} [log {disable | default | level} [interval ]] [time-range ] [inactive]
[no] access-list webtype {deny | permit> tcp {host | | any} [{{EQ | NEQ | LT | GT} | RANGE }] [log {disable | default | } [interval ]] [time-range ] [ inactive ]
[no] access-list [line ] remark
access-list deny-flow-max
access-list alert-interval

Standard access list:
Use this to configure policy having destination host or network only
[no] access-list standard {deny|permit} {any | | host }
[no] access-list remark

Generic Commands:
show access-list []
show running-config access-list [alert-interval | deny-flow-max | ]
clear configure access-list []
clear access-list [ [counters]]


DESCRIPTION:
access-list Add an access list

SYNTAX:
Access list number
Specify line number at which ACE should be entered
Use this to configure Web related policy
deny Denies access if the conditions are matched.
permit Permits access if the conditions are matched.
object-group Keyword for specifying an object group.
obj_grp_id Identifier of an existing object group.
remark Specify a comment (remark)
The IP protocol name or number that will be open: udp is 17, tcp is 6, egp is 47, etc.
Source IP address
Mask to be applied to
Destination IP address
Mask to be applied to
Compares or ports. Possible operands include lt (less than), gt (greater than), eq (equal), neq (not equal), and range (inclusive range).
The decimal number or name of a TCP or UDP port
comment (remark)
log Keyword for enabling log option on this ACL element.
disable Keyword for disabling log option on this ACL element.
default Keyword for set log option on this ACL element to default values.
Optional syslog level (0-7); default level is 6.
interval Keyword for specifying log interval.
Optional log interval value (1-600); default is 300.
0 echo-reply, 3 unreachable, 4 source-quench, 5 redirect, 6 alternate-address, 8 echo, 9 router-advertisement, 10 router-solicitation, 11 time-exceeded, 12 parameter-problem, 13 timestamp-request, 14 timestamp-reply, 15 information-request, 16 information-reply, 17 address-mask-request, 18 address-mask-reply, 31 conversion-error or 32 mobile-redirect
see also: access-group, object-group


myPIX (config)# access-list uranus permit ip host 26.32.188.8 host 129.67.195.1
myPIX (config)# access-list uranus deny ip host 201.122.28.7 host 209.215.90.6

myPIX (config)# help access-g
USAGE:
[no] access-group interface [per-user-override]

DESCRIPTION:
access-group Bind an extended access-list to an interface to filter inbound traffic

SYNTAX:
Extended access list number
Inbound or Outbund access list
Name of the interface
per-user-override Allow AAA downloaded per-user ACL to override
see also: access-list, object-group

myPIX (config)# access-group uranus in interface outside
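What the access-group binding above does for a packet arriving on the outside interface is a first-match walk down the named list, ending in the implicit deny that closes every access-list. The following evaluator, written as an added example (not PIX code and not from the original document), parses the page's two access-list uranus entries, accepts the host, any and address/mask forms of the help text plus a trailing eq port operator (lt, gt, neq and range are not modelled), keeps a hit counter per ACE like the one show access-list displays, and returns which entry decided each packet. The third configuration line and the sample packets are constructed.

```python
"""First-match evaluation of a PIX extended access-list (added example, not
PIX code). The first two ACEs are the page's 'access-list uranus' entries;
the third line and the packets in the test are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Ace:
    action: str                      # 'permit' or 'deny'
    proto: str                       # 'ip', 'tcp', 'udp' or 'icmp'
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dst_port: Optional[int] = None   # None: any destination port
    hitcnt: int = 0                  # per-ACE counter, as in 'show access-list'


def _address(tokens, pos):
    """Consume one address spec: 'host A', 'any', or 'A M' (address and mask)."""
    if tokens[pos] == "host":
        return ipaddress.IPv4Network(tokens[pos + 1] + "/32"), pos + 2
    if tokens[pos] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), pos + 1
    net = ipaddress.IPv4Network(f"{tokens[pos]}/{tokens[pos + 1]}", strict=False)
    return net, pos + 2


def parse_ace(line):
    """Parse 'access-list <name> {permit|deny} <proto> <src> <dst> [eq <port>]'."""
    tokens = line.split()
    if tokens[0] != "access-list" or tokens[2] not in ("permit", "deny"):
        raise ValueError(f"not an extended ACE: {line}")
    name, action, proto = tokens[1], tokens[2], tokens[3]
    src, pos = _address(tokens, 4)
    dst, pos = _address(tokens, pos)
    port = None
    if pos < len(tokens) and tokens[pos] == "eq":
        port = int(tokens[pos + 1])
    return name, Ace(action, proto, src, dst, port)


def build_acls(lines):
    """Group ACEs by access-list name, preserving configuration order."""
    acls = {}
    for line in lines:
        name, ace = parse_ace(line)
        acls.setdefault(name, []).append(ace)
    return acls


def evaluate(acl, proto, src_ip, dst_ip, dst_port=None):
    """Return (action, index) of the first matching ACE, or ('deny', None)
    for the implicit deny at the end of every access-list."""
    src, dst = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for index, ace in enumerate(acl):
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if src not in ace.src or dst not in ace.dst:
            continue
        if ace.dst_port is not None and ace.dst_port != dst_port:
            continue
        ace.hitcnt += 1
        return ace.action, index
    return "deny", None


# The page's two entries plus one constructed line using a mask and 'eq'.
CONFIG = [
    "access-list uranus permit ip host 26.32.188.8 host 129.67.195.1",
    "access-list uranus deny ip host 201.122.28.7 host 209.215.90.6",
    "access-list uranus permit tcp 26.32.0.0 255.255.0.0 host 129.67.195.2 eq 443",
]


if __name__ == "__main__":
    uranus = build_acls(CONFIG)["uranus"]
    print(evaluate(uranus, "tcp", "26.32.188.8", "129.67.195.1", 25))
    print(evaluate(uranus, "tcp", "26.32.188.8", "209.215.90.6", 80))   # implicit deny
```

Because the page's list contains only host-to-host entries, any flow not exactly matching one of them is dropped by the implicit deny; the constructed third line shows how a network mask and a port operator widen a single ACE.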